The Mission of AGARD

from each member nation. The mission of AGARD is carried out through the Panels which are composed of experts appointed
by the National Delegates, the Consultant and Exchange Programme and the Aerospace Applications Studies Programme.

Preface


The trend towards highly integrated systems continues to expand at a rapid rate. Recent examples include automated
maneuvering attack systems, flight control/fire control coupling, mission sensor management, real-time armament fuzing and
propulsion coupling/performance optimization.

The prospect of improved mission effectiveness through integrated systems is a very real and powerful motivation with far
reaching implications. Recent advances in microprocessor technology are bringing about fundamental changes in several
traditional functional domains. Specifically, systems architecture requirements, partitioning considerations and functional
performance parameters take on new meaning in the context of fully integrated flight critical systems. Effective system
integration focuses on end-item functional performance using the most efficient mechanization possible. In this regard, system
wide consideration of sensing elements, computational elements and command signalling loops is critically important. Crew
station design considerations and the pilot's role must also be thoroughly assessed vis-a-vis varying levels of task automation
and overall system wide integrity management requirements.

Achieving the full potential of integrated systems is highly dependent upon demonstrating adequate reliability, safety and
survivability. Historical evidence indicates that interfacing subsystems can introduce serious compromises in overall system
safety and performance. High integrity software is essential. Satisfying stringent flight critical system requirements necessitates
innovative fault tolerant design approaches and mechanization schemes. Adding redundancy levels across the full spectrum of
system elements is a self-limiting approach based on practical considerations of weight, volume, cost and supportability.
Reconfiguration strategies, graceful degradation and aerodynamic redundancy are but a few of the modern concepts currently
under development. State estimation techniques in conjunction with artificial intelligence technology also offer potential fault
tolerance enhancements. Blending system elements for fully integrated or multi-purpose usage under both nominal and
extreme operating conditions requires an intensive system integration effort to achieve acceptable levels of fault tolerance.

This symposium focused on advanced fault tolerant design concepts and their practical application to integrated flight critical
military systems.
Preface (French version)

The trend towards highly integrated systems is developing rapidly. Recent examples concern automated manoeuvres in the
attack phase, the coupling of automatic flight control and weapon control systems, devices for supervising the mission, the
automatic updating of weapons and the overall optimisation of performance by including propulsion control.

The prospect of improving the effectiveness of a mission through the integration of systems is a real and powerful motivation
with long term consequences. Recent progress in the field of microprocessors is bringing fundamental changes in certain
traditional domains. More precisely, the requirements of system architecture, the partitioning of functions and the performance
of functional parameters take on a new meaning in the context of highly integrated systems controlling the critical phases of
the mission. The effectiveness of integrated systems seeks end-of-chain performance using the best automation: the sensing
elements, the computers and the information on the state of the system determine success. The design of cockpits and the
roles of the pilots must be defined with care in the face of automated tasks, as must the specifications of the whole, largely
integrated system.

Reaching the full potential of integrated systems depends largely on demonstrating adequate reliability, safety and
survivability. In the past it has appeared that the interconnection of subsystems can lead to severe compromises in the overall
performance and safety of the system. Highly reliable software is necessary. Meeting the constraints due to the critical phase
of the mission requires new concepts in fault tolerance and in the architecture and automation schemes of the system. The
addition of components, by redundancy and at all levels, is a process which has its own limits for reasons of weight, volume,
cost and implementation. Reconfiguration strategies, acceptable degradation and aerodynamic redundancy are a few, among
many, of the concepts currently in use. State estimation techniques linked to those of artificial intelligence technology also
offer a potential for resistance to faults. The extensive interconnection of system elements for total integration or for
multi-purpose use of the system, in both nominal and extreme conditions, requires an intensive integration effort to reach an
acceptable level of fault tolerance.

This symposium was concerned with advanced concepts of fault tolerant systems and their application to "critical" integrated
military systems.
TECHNICAL EVALUATION REPORT
by

Bernard Chaillot

Sous-Direction Coordination et Evaluation
Direction des Recherches, Etudes et Techniques
00460 ARMEES - FRANCE


EXECUTIVE  SUMMARY 

The 49th symposium of the AGARD Guidance and Control Panel (GCP) was held in Toulouse, France, 10-13 October 1989.
The symposium dealt with advances in methods and technologies to design and validate highly integrated, fault tolerant,
flight critical guidance and control systems.

Over  the  past  20  years  the  guidance  and  control  community  has  pioneered  a 
number  of  significant  technology  advancements,  which  have  had  a  rather  profound  impact 
on  combat  capabilities  of  modern  day  military  aircraft. 

Current technology trends clearly point in the direction of highly integrated systems to achieve increasing levels of
mission effectiveness.

The symposium pinpointed requirements, concepts, flight tests and clearance aspects of flight critical control systems.
The design examples covered a broad range of aircraft: commercial airplane, military aircraft and helicopter. The critical
and integrated aspects of new guidance and control issues were addressed and emphasis was given to Terrain Following,
Terrain Avoidance, Reconfigurable Control, Vehicle Management, Mission Management and Maintenance Diagnosis.

The trend for highly integrated systems has several far reaching implications with respect to overall system wide
integrity management. For example, recent advances in microprocessor technology have brought about fundamental changes
in several traditional functional domains.

As a result, system architecture, functional positioning and system performance parameters take on new meaning in the
context of a total integrated system design.


Classical approaches involving "brute-force" redundancy in concert with the use of ultra high reliability piece parts
are self-limiting, and simply not practical for application in highly integrated military aircraft flight critical systems.

For military aircraft applications, the key questions remain those of capability, affordability and practicality.

Another key issue of integrated fault tolerant systems is system validation. Although traditional methods are
applicable, new techniques and test philosophies are required to assure overall system wide integrity.

The GCP Working Group 9 dealt with this key issue by providing detailed assessments and recommendations for the
future. The final report is planned for publication in 1990.


Air vehicles are increasingly reliant on automated flight critical systems; emphasis must be given within AGARD to
automated air vehicle studies and to the operational acceptance of a crew whose role is supervision only.

Modern day guidance and control systems must be considered as a total system entity, including the human pilot or
supervisor - vehicle interface.

In this context, innovative fault tolerant technology approaches must be developed and validated if we are to achieve
expanded mission capabilities through highly integrated systems. Failure to properly achieve this could further aggravate
accident statistics with the introduction of highly integrated flight critical systems.


TECHNICAL EVALUATION REPORT (TER) on the
49TH GUIDANCE AND CONTROL PANEL TECHNICAL MEETING
Symposium on


FAULT TOLERANT DESIGN CONCEPTS FOR HIGHLY INTEGRATED FLIGHT
CRITICAL GUIDANCE AND CONTROL SYSTEMS


1.  TER  PURPOSE 

This  Technical  Evaluation  Report  has  been  prepared  to  summarize  and  assess 
the  49th  Guidance  and  Control  Symposium. 

The title of the Symposium is Fault Tolerant Design Concepts for Highly Integrated Flight Critical Guidance and
Control Systems. It was held in Toulouse, France, from 10 to 13 October 1989. The Programme Chairman for this meeting
was Mr J.K. RAMAGE.


The program, as presented at the symposium, is appended to this report. The complete compilation of papers will be
published as AGARD Conference Proceedings.


2.  INTRODUCTION  TO  THE  SYMPOSIUM 

The meeting took place at the Ecole Nationale Superieure de l'Aeronautique et de l'Espace (or SUP AERO), an
engineering school (Haute Ecole) of the French Ministry of Defence.

2.1. Symposium objective

This symposium focused on advanced fault tolerant design concepts and their practical application to integrated
flight critical military systems.

The trend towards highly integrated systems continues to expand at a rapid rate. Recent examples include automated
maneuvering attack systems, flight control/fire control coupling, mission sensor management, real-time armament fuzing
and propulsion coupling/performance optimization.

The lure of improved mission effectiveness through integrated systems is a very real and powerful motivation with far
reaching implications. Recent advances in microprocessor technology are bringing about fundamental changes in several
traditional functional domains. Specifically, systems architecture requirements, partitioning considerations and
functional performance parameters take on new meaning in the context of fully integrated flight critical systems.
Effective system integration focuses on end-item functional performance using the most efficient mechanization
possible. In this regard, system wide consideration of sensing elements, computational elements and command signalling
loops is critically important. Crew station design considerations and the pilot's role must also be thoroughly assessed
vis-a-vis varying levels of task automation and overall system wide integrity management requirements.

Achieving the full potential of integrated systems is highly dependent upon demonstrating adequate reliability, safety
and survivability. Historical evidence indicates that interfacing subsystems can introduce serious compromises in overall
system safety and performance. High integrity software is essential. Satisfying stringent flight critical system
requirements necessitates innovative fault tolerant design approaches and mechanization schemes. Adding redundancy
levels across the full spectrum of system elements is a self-limiting approach based on practical considerations of
weight, volume, cost and supportability. Reconfiguration strategies, graceful degradation and aerodynamic redundancy are
but a few of the modern concepts currently under development. State estimation techniques in conjunction with artificial
intelligence technology also offer potential fault tolerance enhancements. Blending system elements for fully integrated
or multi-purpose usage under both nominal and extreme operating conditions requires an intensive system integration
effort to achieve acceptable levels of fault tolerance.

In his introduction the Symposium Chairman indicated the relationship between design deficiencies of subsystem
interfacing and accident statistics due to loss of aircraft control. "Brute-force" redundancy and ultra high reliability
piece parts are not practical; highly reliable space systems are too costly for military fighters; innovative fault
tolerant technology approaches are needed to design capable, affordable and practicable flight control systems.

Over the past 20 years the guidance and control community has pioneered a number of significant technology
advancements, which have had a rather profound impact on combat capabilities of modern day military aircraft. Current
technology trends clearly point in the direction of highly integrated systems to achieve increasing levels of mission
effectiveness.

This trend has several far reaching implications with respect to overall system wide integrity management. For
example, recent advances in microprocessor technology have brought about fundamental changes in several traditional
functional domains.

As a result, system architecture, functional positioning and system performance parameters take on new meaning in the
context of a total integrated system design.


2.2. Symposium organization

The symposium was organized under the following sessions; the table counted the papers by session and by nation
(FR, GE, UK, US), for a total of 22 papers:

I   - TRENDS IN INTEGRATED FLIGHT CRITICAL SYSTEMS
II  - ADVANCED FAULT TOLERANT DESIGN CONCEPTS
III - SYSTEM ARCHITECTURES, MECHANIZATION AND INTEGRATION ISSUES
IV  - HIGH INTEGRITY SOFTWARE DESIGN METHODOLOGIES AND ALGORITHMS
V   - SYSTEM VALIDATION, SIMULATION AND FLIGHT TEST EXPERIENCE

TOTALS : 22 papers

This table takes into account the withdrawal of two papers (from Germany).

2.3. Symposium attendance

The number of registered participants was around 180. The actual attendance was 144 with the following distribution:

Germany : 34

France : 33

United Kingdom : 30

United States : 28

Italy, The Netherlands : 5 each

Spain, Turkey : 2 each

Belgium, Canada, Denmark, Greece, Portugal : 1 each


3. REVIEW OF SYMPOSIUM PROCEEDINGS

The Symposium Keynote Address, meeting papers and the Round Table Discussion are next reviewed in sequence, as
listed in Appendix A, together with session identification.

3.1. Keynote Address by Gen. Francois Maurin, Former Chief of Staff of the French Armed Forces, Member of the French
Conseil d'Etat

General MAURIN emphasized the need for increasing and improving flight control and combat aid systems in order to
maintain the NATO air forces' technology lead over their numerically superior adversaries. He addressed the technical,
human and financial constraints of the design and development of future guidance and control systems. He stressed the
necessity of creating multidisciplinary teams to deal with such advanced projects in order to decrease the complexity
and cost of future systems; simplification instead of sophistication and standardization instead of incompatibility are
the challenge. The speaker therefore called for collaborative work, especially from AGARD and its Guidance and Control
Panel.
3.2. Summaries and assessments of the technical papers

All 22 technical papers are included in the summaries and assessments below.

SESSION I  Paper 11 : FLIGHT CRITICAL DESIGN CONCEPTS FOR LOW-LEVEL TACTICAL GUIDANCE AND CONTROL
by H.R. Griswold, USA.

This paper presents several of the elements of flight critical concepts for low-level tactical operation with
autonomous, accurate target acquisition; the discussion is based on the Close Air Support mission using a fast moving,
technologically advanced aircraft, an F-16 derivative, the AFTI/F-16. The guidance and control strategies emphasize
integrity considerations and performance-versus-safety issues. Many possibilities are offered by the use of on-board
terrain data, and the need to weigh the risks of database use is pointed out: the principal issues are its accuracy and
completeness. The architecture of the guidance and control system is described and the various redundancy techniques
are listed. Single thread sensors and single thread computing are used for the avionics manager, which is physically
redundant.


Paper 12 : EVOLUTION DANS LES APPLICATIONS CIVILES (CIVIL APPLICATIONS TRENDS) by P. Traverse, FR.

The Airbus A320 electric flight control system, the needs for an updated system for the A330/340 and the trends are
reviewed in this paper. Emphasis is given to processor and system architectures and, in general, to dissimilar
redundancy.

The author describes the existing Command and Surveillance Processors and their evolution with respect to the
ARINC 651 rule. Much emphasis is given to the use of a distributed system with redundant processors and data
synchronisation. A Petri net based protocol is specified. Optical flight control systems are mentioned and leads for
safety assessment methods are presented.

The lecture was a broad and comprehensive survey of the trends in the computerized flight control systems needed for
civil aviation, as well as of the tools to develop and clear them.


Paper 13 : PILOT MONITORING OF DISPLAY ENHANCEMENTS GENERATED FROM A DIGITAL DATA BASE
by P.J. Bennett and J.J. Cockburn, UK.

This paper presents a penetration mission and system called PENETRATE. This system is designed to provide aircrew
with accurate navigation coupled with head-up and head-down displays of the terrain. The heart of the system is a very
large capacity military optical disc drive which contains terrain elevation data, planimetry information, intelligence
information and mission information. The system provides terrain referenced navigation, ground proximity warning and
displays of navigation, terrain masking and threat avoidance data. Emphasis is given to the different possible displays
of terrain to the aircrew, which depend on the visibility of the scene (night, day, good or bad weather). The range of
the digital terrain displays depends on visibility (6 to 8 miles in standard visibility, further in low visibility). The
navigation error is proportional to the smoothness of the terrain, and the automatic mission planning system has to
select the flight path so as to achieve accuracy but also low intervisibility. The lecture slides showed the
correlations between actual photographs and obstruction cues obtained during flight trials. Data processing and
compression may introduce errors, and optical disc mass storage has a basic error rate. Careful processing and error
correction techniques are mentioned as a solution but are not described.


This session addressed the cautious, relatively short term trends in civil FCS and the new guidance and control issues
for military aircraft. The topics of this session were not exhausted but were addressed further in later sessions
(reconfigurable control, mission management, diagnostic systems, scheduled maintenance issues).


Session II  Paper 21 : TECHNIQUES FOR TRANSIENT ERROR RECOVERY AND AVOIDANCE IN REDUNDANT PROCESSING SYSTEMS
by S.J. Adams, H.J. Dzwonczyk, USA.

This paper reviews approaches to detect and restore memories affected by transient faults. The rate of transient
memory failures as compared to the rate of fixed (permanent) failures is highlighted. An error recovery technique is
described which uses a Segment Access Signature Architecture: hardware is used to compute a checkword on memory segments
and to detect which segments have been corrupted, by comparison between redundant processors or between different times
in a single processor. But recovery is a problem because time is critical for a flight control system, especially for
an unstable aircraft. So a second approach to tolerating transient faults is to use a common fault-tolerant memory
which allows errors to be masked and corrected, eliminating the need for recovery.
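The two mechanisms summarized above (a per-segment checkword compared across redundant channels or across time, then segment-wise recovery) can be shown in a few lines. The following Python is an added example written for this review, not code from the paper or from the AGARD proceedings: CRC-32 stands in for the hardware checkword, the segment size and the sample memory image are constructed for the example, and a single-bit upset is injected into two of three redundant copies.

```python
"""Segment-signature detection and recovery across redundant memory copies.
Added example (not the paper's code): CRC-32 stands in for the hardware
checkword; the segment size, sample image and injected faults are constructed."""
import zlib
from collections import Counter

SEGMENT_SIZE = 64  # bytes per memory segment (assumed value)


def segment_signatures(image: bytes, seg_size: int = SEGMENT_SIZE) -> list[int]:
    """One checkword per segment, as a hardware signature unit would produce."""
    return [zlib.crc32(image[i:i + seg_size]) for i in range(0, len(image), seg_size)]


def changed_segments(reference_sigs: list[int], image: bytes) -> list[int]:
    """Single-processor, time-based check: segments that are supposed to stay
    constant (code, tables) whose signature differs from the one taken at load."""
    now = segment_signatures(image)
    return [i for i, (ref, cur) in enumerate(zip(reference_sigs, now)) if ref != cur]


def corrupted_segments(copies: list[bytes]) -> dict[int, list[int]]:
    """Cross-channel check over redundant copies.
    Returns {segment: [channels whose signature disagrees with the majority]}.
    A segment with no majority is reported with every channel listed."""
    sigs = [segment_signatures(c) for c in copies]
    n = len(copies)
    flagged = {}
    for seg in range(len(sigs[0])):
        majority_sig, votes = Counter(s[seg] for s in sigs).most_common(1)[0]
        if 2 * votes <= n:
            flagged[seg] = list(range(n))
            continue
        dissenters = [ch for ch, s in enumerate(sigs) if s[seg] != majority_sig]
        if dissenters:
            flagged[seg] = dissenters
    return flagged


def recover(copies: list[bytes], seg_size: int = SEGMENT_SIZE) -> list[bytes]:
    """Restore only the flagged segments from a majority channel; no full realignment."""
    fixed = [bytearray(c) for c in copies]
    for seg, bad in corrupted_segments(copies).items():
        if len(bad) == len(copies):
            raise RuntimeError(f"segment {seg}: no majority, cannot recover")
        good = next(ch for ch in range(len(copies)) if ch not in bad)
        lo, hi = seg * seg_size, (seg + 1) * seg_size
        for ch in bad:
            fixed[ch][lo:hi] = copies[good][lo:hi]
    return [bytes(f) for f in fixed]


def flip_bit(image: bytes, byte_index: int, bit: int) -> bytes:
    """Inject a single-event upset at one bit (constructed fault for the example)."""
    b = bytearray(image)
    b[byte_index] ^= 1 << bit
    return bytes(b)


# Constructed sample: a 512-byte image (8 segments) replicated on three channels,
# with an upset in channel 1 / segment 2 and in channel 2 / segment 5.
IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(512))
COPIES = [
    IMAGE,
    flip_bit(IMAGE, 2 * SEGMENT_SIZE + 10, 3),
    flip_bit(IMAGE, 5 * SEGMENT_SIZE + 1, 0),
]

if __name__ == "__main__":
    print(corrupted_segments(COPIES))                              # {2: [1], 5: [2]}
    print(changed_segments(segment_signatures(IMAGE), COPIES[1]))  # [2]
    print(recover(COPIES) == [IMAGE] * 3)                          # True
```

Comparing signatures rather than whole segments keeps the cross-channel exchange small, which is the reason for computing the checkword in hardware, and recover restores only the flagged segments from a majority channel, so recovery time scales with the number of corrupted segments rather than with memory size. When no majority exists (two channels, or two of three disagreeing on the same segment) the segment is reported with every channel listed and recover refuses rather than guessing; that is the case the paper's second approach, masking in a coded shared memory, is meant to remove.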
Paper 22 : THE ROLE OF TIME-LIMITED DISPATCH OPERATION IN FAULT TOLERANT FLIGHT CRITICAL CONTROL SYSTEMS
by D.F. Allinger, F.J. Leong, P.S. Babcock, C.C. Horan, R.F. LaPrad, USA.

This paper addresses a methodology for establishing dispatch policies for fault-tolerant systems operated with failed
components for a limited time period.

A dual-redundant control actuation system is used to illustrate the analytic techniques which permit a dispatch
classification of each system component; techniques to quantify the impact on system performance are given. Markov
model assumptions are taken, but some work is undertaken to augment the model. The advantages of such a mode of
operation are outlined.

The expected advantage of such a mode of operation is that it permits maintenance operations to be postponed,
consolidating both the logistics and the expertise of maintenance operations; it is a step towards a scheduled mode of
maintenance.

But maintenance cost figures have to be computed to assess the possible economic benefit.
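The Markov reasoning behind such a dispatch policy is easy to carry through for the dual-redundant actuation case. The Python below is an added example written for this review, not the paper's model or numbers: it builds a three-state generator (both channels good, one channel failed, loss of actuation), solves it by uniformization, and turns a tolerated loss probability into the longest interval over which the aircraft may be dispatched from each state. The channel failure rate, the risk threshold and the state labels are assumptions made for the example, and the solver is general for any small generator matrix rather than for this one model.

```python
"""Time-limited dispatch from a Markov model of a dual-redundant actuation system.
Added example (not the paper's model): the failure rate, the dispatch risk
threshold and the three-state model are constructed for illustration."""
import math

LAMBDA_CHANNEL = 1.0e-4   # failures per flight hour, one actuation channel (assumed)
MAX_LOSS_PROB = 1.0e-3    # tolerated P(loss) over one dispatch interval (assumed)


# States: 0 = both channels good, 1 = one channel failed, 2 = loss of actuation (absorbing).
def dual_redundant_generator(lam: float) -> list[list[float]]:
    """Continuous-time Markov generator Q; row i holds the rates out of state i."""
    return [
        [-2.0 * lam, 2.0 * lam, 0.0],
        [0.0, -lam, lam],
        [0.0, 0.0, 0.0],
    ]


def transient_distribution(Q, start: int, t: float, tol: float = 1e-15) -> list[float]:
    """State probabilities at time t by uniformization:
    P(t) = sum_k Poisson(k; q t) * Pi^k with Pi = I + Q/q, q >= max |Q_ii|."""
    n = len(Q)
    q = max(-Q[i][i] for i in range(n)) or 1.0
    Pi = [[(1.0 if i == j else 0.0) + Q[i][j] / q for j in range(n)] for i in range(n)]
    v = [1.0 if i == start else 0.0 for i in range(n)]   # row vector e_start * Pi^k
    out = [0.0] * n
    weight, k = math.exp(-q * t), 0                        # Poisson term for k = 0
    while True:
        for i in range(n):
            out[i] += weight * v[i]
        if weight < tol and k > q * t:                     # past the mode, tail negligible
            break
        v = [sum(v[i] * Pi[i][j] for i in range(n)) for j in range(n)]
        k += 1
        weight *= q * t / k
    return out


def loss_probability(Q, start: int, t: float) -> float:
    """Probability of reaching the absorbing loss state (last row of Q) within t hours."""
    return transient_distribution(Q, start, t)[len(Q) - 1]


def dispatch_interval(Q, start: int, max_loss_prob: float, t_max: float = 10_000.0) -> float:
    """Longest interval (hours) the aircraft may be dispatched from `start` while
    P(loss) stays within max_loss_prob; 0.0 means no dispatch, t_max means unrestricted."""
    if loss_probability(Q, start, 0.0) > max_loss_prob:
        return 0.0
    if loss_probability(Q, start, t_max) <= max_loss_prob:
        return t_max
    lo, hi = 0.0, t_max            # P(loss) is non-decreasing in t because loss is absorbing
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if loss_probability(Q, start, mid) <= max_loss_prob:
            lo = mid
        else:
            hi = mid
    return lo


def dispatch_class(Q, start: int, max_loss_prob: float, t_max: float = 10_000.0) -> str:
    """Dispatch classification of a system state (labels are this example's own)."""
    t = dispatch_interval(Q, start, max_loss_prob, t_max)
    if t == 0.0:
        return "no dispatch"
    if t >= t_max:
        return "unrestricted"
    return f"time-limited: {t:.1f} h"


if __name__ == "__main__":
    Q = dual_redundant_generator(LAMBDA_CHANNEL)
    for state, label in enumerate(["both channels good", "one channel failed", "loss"]):
        print(f"{label:20s} -> {dispatch_class(Q, state, MAX_LOSS_PROB)}")
```

Run as-is, the one-channel-failed state comes out time-limited (about 10 flight hours at the assumed rate and threshold), the all-good state time-limited at a much longer interval, and the loss state as no dispatch. Augmenting the model as the paper suggests (a repair transition, a latent-failure state, dependent failures) only changes dual_redundant_generator; the solver and the classification logic stay the same, provided the loss state remains absorbing, since the bisection relies on P(loss) being monotone in the dispatch time.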


Paper 23 : A FAULT TOLERANT FLY-BY-WIRE SYSTEM FOR MAINTENANCE FREE APPLICATIONS by R.W. Dennis, A.D. Hills, UK.

This paper describes a fault-tolerant Primary Flight Computer System for application primarily to commercial aircraft.
The test configuration on the Boeing 757 iron bird rig is shown. The reconfigurable, redundant architecture concept is
justified and described. A serial interface device has been specially developed to support the architecture. To
complement this fault-tolerant architecture, an ASIC design minimizing the failure rate of each sub-functional element
is presented.

This paper addresses the topic of this symposium perfectly well, and the lecture was a complete overview of the themes
to be developed on this occasion: why fault tolerance? how? redundancy management philosophy, tools to clear the design,
discussion of results and outlook.


Paper 24 : THE INTEGRATED AIRFRAME/PROPULSION CONTROL SYSTEM ARCHITECTURE PROGRAM (IAPSA)
by D.L. Palumbo, C.W. Meissner, C.C. Cohen, USA.

This paper uses the example of the Integrated Airframe/Propulsion Control System Architecture (IAPSA) program to
highlight the need for adopting a design-for-validation strategy in order to avoid design errors. It concludes
pessimistically that the limitations of analytic techniques can be too constraining and that comprehensive validation
tools have to be developed.

The reliability and performance analysis tools used with the IAPSA program are presented.


Paper 25 : DEPENDABLE SYSTEMS USING "VIPER" by J. Kershaw, UK.

This paper describes a microprocessor, "VIPER", which has been designed to work in pairs to form fault-detecting
computing modules. It emphasizes the lessons that have been learned from the use of formal mathematical techniques of
design and verification.

This solution raises the problem of specifying and verifying the correctness of the design within a common formal
mathematical logic. In fact, intelligent exhaustive simulations are also needed.


Paper 26 : FAULT TOLERANT, FLIGHT CRITICAL CONTROL SYSTEMS by T. Sadeghi, G. Mayville, USA.

This paper gives an overview of the tools recently developed within General Electric for fault-tolerant control
systems. The goal is to design a reconfigurable flight control system; an architecture is outlined and simulation
results are given for different impairments. Further discussion is the topic of paper no. 53. An on-board expert system
to support aircraft diagnostics and a vehicle management system to support maintainability are then presented. It seems
that all these concepts are implemented on the same platform, which is a little confusing.
There was little inter-relation among the papers in this session. There were several examples of fault tolerant
concepts, ranging from a memory subsystem to an integrated airframe/propulsion control system. But the redundancy
management philosophy and the safety assessment tool and method discussions were particularly appropriate.


Session III  Paper 31 : METHODS TO PRESERVE THE INTEGRITY OF A COMBAT AIRCRAFT FLIGHT CONTROL SYSTEM THROUGH
MAJOR UPGRADE PROGRAMMES by M. Rossler, W. Schmidt, GE.

Based on presently running and intended upgrades of the TORNADO flight control system, the paper describes what
measures are taken to preserve the integrity, fault tolerance and performance of the existing system during a major
upgrade. For instance, a terrain reference navigation mode is going to be implemented together with, and combined with,
the present terrain following radar system. The TORNADO flight control system and the impact of new requirements and
advanced basic technologies are shown. The method for the introduction of major modifications is a step by step
introduction: hardware modifications in the first step while the functionality of the system remains unchanged,
software modifications in the second step after implementation and testing. Methods of clearance of the new hardware
and functions are described.


Paper 32 : FLIGHT CONTROL COMPUTER APPROACH FOR MODERN FLY-BY-WIRE AIRCRAFT by J. Kesberg, R. Hockele,
H. Hohner, H. Jacobs, GE.

Withdrawn.


Paper 33 : RESEARCH INTO A MISSION MANAGEMENT AID by J.R. Catford, I.D. Gray, UK.

This paper outlines the programme, the joint venture organization, the prototype work and the goal of the mission
management aid, which is intended to decrease pilot workload. The general architecture of the system is given and
emphasis is placed on the core functions and integrity.

The Mission Management Aid system is intended to be only a technical adviser for the aircrew, and only conventional
information technology techniques are planned to be used, so it does not really have to comply with safety critical
requirements. The programme must be seen as a prototype exercise in order to implement and validate a number of
algorithms and, after that, to specify the actual aid system.


Paper 34 : INTEGRATED DIAGNOSTICS FOR FAULT TOLERANT SYSTEMS by H.A. Funk, M.M. Jeppson, USA.

This paper addresses the integrated approach to the maintainability of flight control systems. It emphasizes the
goals, the resources available and the constraints of the Integrated Diagnostics concept.

An implementation strategy for an approach utilizing both a portable maintenance aid at the flight line and
on-aircraft in-flight diagnostic resources is presented, along with a technique which ensures commonality between the
on-aircraft and off-aircraft systems.

The paper discusses the results of a current study of integrated maintenance and concludes that the functional model
based diagnostic approach provides a common basis for information transfer.

Once again, the integrated diagnostics system is not integrated into the flight critical control system and so is not
subject to fault tolerance requirements. The emphasis is on how to share data, and the answer is to model at varying
levels of detail.


Paper 35 : A BYZANTINE RESILIENT PROCESSOR WITH AN ENCODED FAULT-TOLERANT SHARED MEMORY by R. Harper,
B. Butler, USA.

This paper addresses the negative effect on reliability of the increase in memory size requirements. It describes the
use of an encoded memory-based fault-tolerant processor architecture under development at the Charles Stark Draper
Laboratory. The paper successively presents an overview of the architecture and its operation, a reliability analysis
in which it is compared to quadruply redundant designs, and a performance analysis. The paper concludes that its
primary benefits over other Byzantine resilient architectures are the elimination of memory realignment time, the
improvement in short term reliability obtained by the reduced memory requirement and the hardware implemented memory
scrubber, the reduced fault latency due to continual and implicit fault masking, and the improved high-iteration-rate
performance.

Byzantine resilience is defined as a sort of resilience to any possible error in the subsystem, but how to deal with a
possible fault of the system monitor? Another layer of processing is needed, which obviously has to be fault tolerant
itself.


During the symposium the Session Chairman took the opportunity to offer the
speakers feedback from the audience. Thoughts were exchanged about system architecture
updating (is it possible?), the flight critical aspects of reconfigured systems, error
propagation, error diagnosis and environment monitoring.


Session IV

Paper 41 : A HIGHLY RELIABLE, AUTONOMOUS DATA COMMUNICATION SUBSYSTEM FOR AN
ADVANCED INFORMATION PROCESSING SYSTEM by G. Nagle, T. Masotto, L. Alger, USA.

This paper describes the design and implementation of the prototype
input/output communication system for the Advanced Information Processing System (AIPS)
under development at the Charles Stark Draper Laboratory. The goals presented are to
design general purpose computer systems and input/output subsystems in a way that eases
modifications or extensions of flight critical systems. AIPS addresses reliability
issues related to data communications by the use of reconfigurable input/output
networks including spare interconnections. Performance issues are addressed by using a
parallel computer architecture which decouples input/output redundancy management and
input/output processing from the computational stream of an application, so that the
communication subsystem is transparent to the user.


Paper 42 : FORMALISATION DE DEVELOPPEMENTS : DE LA THEORIE AU PROGRAMME
(FORMALIZING DEVELOPMENTS : FROM THEORY TO PRACTICE) by M. Lemoine, K. Bechane, FR.


This paper addresses software development method issues. A project, the Tool
Use Project, is presented and its language of formalization is described. The DEVA
language is a higher-order typed lambda-calculus. Through the case study of expressing
part of Jackson's Structured Programming method in the DEVA framework, the authors show
the value of formal techniques for software development.

So if the fault tolerance requirements are correctly expressed in the
specification, this method provides software which is proven safe in a mathematical
sense. Doubts arise from the complexity and unpredictability of the application's
environment and from the completeness of the original specification. Work must be
undertaken in that direction.


Paper 43 : METHODOLOGIE DE DECOMPOSITION D'APPLICATION DE NAVIGATION CRITIQUE EN
ELEMENTS SIMPLES (BREAKDOWN METHODOLOGY FOR FLIGHT CRITICAL APPLICATIONS INTO
ELEMENTARY COMPONENTS) by B. Chavana, F. de Sainte Maresville, FR.

The software design of a helicopter primary reference system is presented.
The design methodology goals and implementation are described. The simplification method
is based on separating deterministic processes from random interruptions; the real time
complexity is removed from each software component and supported only by a monitor; the
effects of this simplification on software production are emphasized (modularity,
standardization). The tests were said to be very effective, but no demonstration was
supplied.


Paper  44  :  FAULT  TOLERANCE  VIA  FAULT  AVOIDANCE  by 
B.D.  Bramson,  UK. 

The philosophy of the paper is that testing is good at finding errors but bad
at demonstrating their absence. The conditions for safe software production are first
recalled, and then it is claimed that a proof of correctness of one of the software
components can imply a proof of safety of the system. A hypothetical processing system
design illustrates the claim. The MALPAS intermediate language and compliance analysis
are respectively presented as a design language and a verification technique.

Before proof of correctness methods are built into system production, this
paper illustrates the need to minimize software complexity in order to have
mathematically validated software. The notion of system, as it expands, involves
customer specifications as well, and it seems we are looking for a perfect-world
production method, which is highly utopian.
Paper 45 : HIGH INTEGRITY SOFTWARE FOR SAFETY CRITICAL TF/FA FUNCTIONS by
H. Wald, H.D. Lerche, GE.

Withdrawn.


The papers of this session address how fault tolerance can be achieved in
software. The answers vary: some are negative and call for minimizing software
complexity; others suggest several methods. Among them, there is a need to quantify the
probability of faults in order to improve the design and to make software better and
better. Today the bottom line is the human resource. A good method, a powerful technique
such as DEVA, is awaited.


Paper 51 : PILOTED SIMULATION VERIFICATION OF A CONTROL RECONFIGURATION STRATEGY
FOR A FIGHTER AIRCRAFT UNDER IMPAIRMENTS by R. Mercadante, USA.

This paper presents the results obtained during piloted simulation of the
Control Reconfigurable Combat Aircraft (CRCA). This study was aimed at verifying the
capability of a reconfiguration strategy to improve aircraft controllability. The CRCA
configuration, the damage and failure modeling and the reconfiguration strategy are
described. Test conditions are outlined, then the results are shown using pilot
workload measurement, target tracking scoring and pilot rating (using the Cooper-Harper
rating scale). The improvements brought by reconfiguration of the control laws following
impairments are discussed.

The lecture was accompanied by a video showing the pilot's view through the
Head-Up Display while flying with an impairment in the short take-off and landing
flight condition, successively without and with reconfiguration activated. This
illustrated a very important feature: the necessity to alert the pilot about the
flight envelope status, and it was said that pilots were involved in its design. This
lecture was very engaging. Questions were about the extension of reconfiguration to
engine or fuel circuit failures and about impairment statistics to help design
reconfiguration laws.


Paper 52 : FLIGHT TEST RESULTS OF FAILURE DETECTION AND ISOLATION ALGORITHMS FOR A
REDUNDANT STRAPDOWN INERTIAL MEASUREMENT UNIT by F.R. Morrell, P.R. Motyka,
M.L. Bailey, USA.

Two  algorithms  for  failure  detection  and  isolation  of  a  skewed  array  of 
collocated  inertial  sensors  are  described  and  compared.  Fault  tolerance  is  provided  by 
edge  vector  test  and  generalized  likelihood  test  algorithms.  To  detect  the  wide  range 
of  failure  magnitudes  in  inertial  sensors,  fault  detection  and  isolation  are  developed 
in  terms  of  a  multilevel  structure. 

The development of accelerometer parity equations and their reduction to sensor
errors are described, and threshold compensation techniques are presented. Flight test
equipment and results are shown, which allow a comparison of both algorithms and a
discussion.

The results are consistent but do not apply in this example to accurate
navigation, and redundancy concepts with strapdown inertial systems are fairly old now.
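As an added illustration (not code from the paper), the parity-space form of the failure detection and isolation scheme described above: a skewed six-sensor accelerometer array, its parity matrix, a generalized likelihood test to isolate the failed sensor, and a two-level threshold structure that separates large hard failures from small persistent ones. The conical geometry, the noise level and the threshold values are assumptions of this example.

```python
"""Parity-space failure detection and isolation (FDI) for a skewed accelerometer
array: parity equations, a generalized likelihood test (GLT) to isolate the
failed sensor, and a two-level (hard/soft) threshold structure.  Added
illustration; the six-sensor conical geometry and thresholds are assumptions."""
import math


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def unit(v):
    n = math.sqrt(dot(v, v))
    return [x / n for x in v]


def conical_array(n=6, half_angle_deg=54.7356):
    """Measurement matrix H (n x 3): row k is the sensing axis of sensor k,
    tilted by half_angle from z and spaced evenly in azimuth (assumed geometry;
    any three axes are non-coplanar, so one failed sensor can be isolated)."""
    a = math.radians(half_angle_deg)
    H = []
    for k in range(n):
        th = 2.0 * math.pi * k / n
        H.append([math.sin(a) * math.cos(th), math.sin(a) * math.sin(th), math.cos(a)])
    return H


def parity_matrix(H):
    """Orthonormal basis V ((n-3) x n) of the left null space of H (V H = 0,
    V V^T = I), by Gram-Schmidt: orthonormalize the columns of H, then project
    that space and the parity rows already found out of each unit vector e_i."""
    n, m = len(H), len(H[0])
    col_basis, V = [], []
    for j in range(m):
        r = [H[i][j] for i in range(n)]
        for q in col_basis:
            p = dot(r, q)
            r = [ri - p * qi for ri, qi in zip(r, q)]
        col_basis.append(unit(r))
    for i in range(n):
        r = [1.0 if k == i else 0.0 for k in range(n)]
        for q in col_basis + V:
            p = dot(r, q)
            r = [ri - p * qi for ri, qi in zip(r, q)]
        if math.sqrt(dot(r, r)) > 1e-9:  # e_i had a component outside col(H)
            V.append(unit(r))
    return V


def parity_vector(V, m):
    """p = V m: the true acceleration cancels, leaving noise and failures."""
    return [dot(row, m) for row in V]


def glt_isolate(V, p):
    """GLT decision functions DF_j = (p . V_j)^2 / (V_j . V_j) over the columns
    V_j of V; the largest names the sensor whose failure best explains p."""
    cols = [[row[j] for row in V] for j in range(len(V[0]))]
    df = [dot(p, vj) ** 2 / dot(vj, vj) for vj in cols]
    return max(range(len(df)), key=lambda j: df[j]), df


class MultilevelFDI:
    """Level 1: instantaneous parity energy |p|^2 against a hard threshold.
    Level 2: p averaged over a window (noise shrinks, a persistent bias does
    not) against a lower soft threshold.  step() -> (level, sensor)."""

    def __init__(self, H, hard_threshold, soft_threshold, window):
        self.V = parity_matrix(H)
        self.hard, self.soft, self.window = hard_threshold, soft_threshold, window
        self.history = []

    def step(self, measurement):
        p = parity_vector(self.V, measurement)
        self.history.append(p)
        if len(self.history) > self.window:
            self.history.pop(0)
        if dot(p, p) > self.hard:
            return "hard", glt_isolate(self.V, p)[0]
        if len(self.history) == self.window:
            avg = [sum(h[i] for h in self.history) / self.window for i in range(len(p))]
            if dot(avg, avg) > self.soft:
                return "soft", glt_isolate(self.V, avg)[0]
        return None, None


def measure(H, accel, faulty=None, bias=0.0, sigma=0.0, rng=None):
    """Constructed sensor outputs H a + noise, plus a bias on one sensor."""
    out = []
    for k, axis in enumerate(H):
        v = dot(axis, accel) + (rng.gauss(0.0, sigma) if rng else 0.0)
        out.append(v + bias if k == faulty else v)
    return out
```

With the assumed thresholds, a 1.0 step on one sensor trips the hard level on the first sample, while a 0.03 bias stays below it and is caught by the windowed soft level once the window has filled.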


Paper 53 : FLIGHT DEMONSTRATION OF A SELF-REPAIRING FLIGHT CONTROL SYSTEM IN A
NASA F-15 FIGHTER AIRCRAFT by J.M. Urnes, J. Stewart, R. Eslinger, USA.

This paper presents the real-time reconfiguration development program that is
under way in the USA. Software design considerations are presented in paper no. 26, and
paper 51 reports on the same line of research. The NASA F-15 flight test of a self-
repairing flight control system which incorporates real-time reconfiguration and expert
maintenance diagnostics is described. The heart of reconfiguration is a Failure
Detection, Isolation and Estimation algorithm in which the expected response to a
command is compared to the actual response. The reconfiguration process and results are
presented. Future prospects are outlined.

Here, too, emphasis is placed on the man-machine interface; cues of maneuver
capability are given to the pilot. The illustration of an on-board expert system is
very engaging. Questions arise from the need to make the system more sophisticated, as
it will have to take into account several impairments and to analyse the viability of
the reconfigured, impaired aircraft.
Paper 54 : FLIGHT TESTING OF A REDUNDANT EXPERIMENTAL FbW/FbL HELICOPTER CONTROL
SYSTEM by H. Becker, K. Bender, K.D. Holle, G. Mansfeld, GE.

This paper describes the objectives, architecture, hardware, software and flight
test results of a helicopter flight control system. The investigation of new hardware
technologies and components is aimed at improving reliability. A yaw control system
with fiber optic communication between sensors and actuation is implemented; fiber
optics also interface the three redundant flight control computers. Handling quality
improvement is claimed. Loss of control is tested.


Paper 55 : UN SYSTEME DE REFERENCES PRIMAIRE DE HAUTE INTEGRITE (A HIGH INTEGRITY
FLIGHT DATA SYSTEM) by J.L. ROCH, J. CONTET, FR.

This paper presents the high integrity and high reliability issues of a flight
data system and the answer provided. Software methods are presented in paper no. 43. It
describes the overall architecture of the Super PUMA MK2 integrated flight and display
system and the requirements for the primary reference system. Quality aspects of the
design are outlined and clearance aspects are described; in particular, the industrial
development method approach is emphasized.

The paper does not provide validation of the reliability requirements. This is
because the flight control system reliability depends on the architecture of the
overall system, which for this helicopter application includes two flight data systems,
back-up sensors and a vertical gyro for resolving doubt. So the full budget is at a
higher level, and the reader is left a little frustrated.


Except for this last paper, which is more relevant to session II or III, the four
papers illustrate the extensive and comprehensive flight tests to be done to validate a
concept. There is no answer as to whether this is sufficient.


3.3.  Round  table  discussions 

The  round  table  is  set  up  to  provide  a  resume  of  each  major  topic  of  the 
symposium  and  serve  as  a  catalyst  for  discussion  and  conclusion  by  all  attendees  of  the 
symposium. 

Round  table  participants  and  selected  areas  are  : 

Mr  J.K.  RAMAGE,  Chairman 

Dr  M.  PELLEGRIN,  Flight  Critical  System  Trends, 

Dr  R.C.  ONKEN,  Advanced  Fault  Tolerant  Design  Concepts, 

Dr  E.B.  STEAR,  System  Architectures,  Mechanization  and 
Integration  Issues 

Dr  J.  KERSHAW,  Software  Design  Methodologies  and 
Algorithms 

Dr  G.T.  SCHMIDT,  System  Validation,  Simulation  and  Flight 
Test  Experience 


STATEMENTS AND DISCUSSIONS :

Dr M. PELLEGRIN, in charge of System Trends, took a provocative position
suggesting the elimination of the on-board crew. Today the flight of a modern aircraft is
made up of sequential automatic modes which are engaged by the pilot. Safety depends on
Air Traffic Control (ATC), crew and flight control system errors. The trends are towards
an automatic ATC and an increase in flight control system reliability; what about the
crew? It is not possible to rely on one pilot because of his poor reliability (10^?/h),
so the question is whether or not to suppress the two pilots and to have a supervising
crewman instead. Dr PELLEGRIN forecasts that the suppression will be possible within 5
years.

The audience reaction was that such a change needs an evolution in passengers'
attitudes and requires that software error treatment receive a solution.

Dr R.C. ONKEN highlighted the need to design to probability figures. This is
complicated because Flight Control Systems are critical with respect to hardware or
software failures, but also critical with respect to enemy threats. And in peace time,
when threats are not there, the training need is safety critical due to military flights
over populated areas. Advanced functions, such as vehicle, flight and mission
management, which were exclusively assumed by the pilot, are integrated, and so the
failure rate is increasing. How could we measure the degree of tolerance of integrated
systems?


A pessimistic answer was given by the audience. Failure rate objectives for
advanced fault tolerant systems are too high and too difficult to validate with
sophisticated but tedious simulations; the law is to be broken, as laws are made to be
violated!

Dr E.B. STEAR emphasized the necessity to cope with the increasing complexity due
to the addition of the vehicle management system, the mission management system, etc.,
and the presence of not only random failures but also Byzantine or intentional failures.
"There are several key issues for the future, most of them we don't know what to do
about," the speaker said.

Several comments were made. R and D methods must be transitioned to the
production line in order to ease the transfer of functional complexity towards
applications. Use diagnostics to fit the system and make sure it works. Use protection
against the designer rather than the programmer; report the circumstances of failure
(what maneuver, what environment, etc.). The validation problem is a key issue: it would
be a limiting aspect of validation to make do with running validation from the beginning
of the program, as is recommended.

Dr J. KERSHAW was pleased to hear about powerful techniques such as DEVA but
reminded the audience that traditional practice is made up of good methods; subsystem
partitioning helps to reduce complexity, but it assumes that if a component is correct it
stays correct; the speaker sees no conflict between the mission management concept and
flight control design, but rather synergy. The question posed was: if traditional
methods are good but are not able to supply software failure rate figures, is a feeling
of good quality enough?


Dr G.T. SCHMIDT summed up the issue of flight test results: because of their
specific environment, what is their value? A data bank would be very useful.

Mr J.K. RAMAGE concluded the symposium and addressed the key issues of fault-
tolerant flight control systems; new innovative concepts and methods were interesting
to note, and the trade-off between mission performance, reliability, safety and
affordability could be reached at a still higher level for both sides thanks to powerful
techniques, new tools and skilled people.

Clearly, today's trend towards highly integrated systems has several
significant implications with respect to overall system integrity and validation
methodologies. It is encouraging to note that several innovative fault tolerant design
concepts are being developed within NATO to provide the necessary system integrity for
achieving improved mission capabilities. Keynote speaker Gen Maurin highlighted the
need to consider modern day guidance and control systems as a total entity, including
the pilot vehicle interface. In particular, one must constantly balance mission
performance against affordability and safety. Failure to properly achieve this could
further aggravate accident statistics with the introduction of highly integrated flight
critical systems. Significant technical challenges remain to assure acceptable risk
levels.


4.  CONCLUSIONS 

The conclusions presented here are those of the author, based on the written
papers, presentations, discussions and on the forms handed in by the symposium
delegates.

4.1  An  overall  picture  of  the  topics  presented  in  this  symposium  is  given  by  the 
distribution  of  the  papers  related  to  existing,  updated  or  new  systems,  to  specific 
technology  advances  or  to  safety  aspects. 

Fault-Tolerant Flight Control Sub-system/system :

. existing : 12 (A 320) ; 43, 55 (PUMA PSR) ; 52 (INS) ;

. updated : 11 (AFTI/F16) ; 12 (A 330/340) ; 23 (Commercial Airplane FCS) ; 31 (TORNADO) ;

. new : 12 (Commercial Airplane) ; 24 (Integrated Airframe/Propulsion Control System) ; 26, 51, 53 (CRCA).


Fault-Tolerant Technique/Technology Advances :

. Microprocessor : 23, 25 ;

. Memory : 21, 35 ;

. Communication Network : 41 ;

. Data Base : 11, 23 ;

. Displays : 13 ;

. Optical : 12, 54 ;

. Expert System : 26, 53 ;

. High Order Language : 42, 44.


New Guidance and Control Issues :

. Terrain Following, Terrain Avoidance : 11, 13, 31 ;

. Reconfigurable Control : 26, 53 ;

. Mission, Vehicle Management : 26, 33 ;

. Diagnosis : 26, 34 ;

. Scheduled Maintenance : 22.


Safety Assessment Tests and Methods : 31, 44, 51, 53, 54, 55 ;

Safety Assessment Tools : 12, 24, 25.

4.2 The state of the art in Flight Control Systems has been reviewed. System
architecture is lane oriented, and system failure tolerance capability is achieved
through parallel redundancy. Requirements are more stringent for civil applications. In
these applications more emphasis is given to channelising and dispersing the flight
control functions. Commercial aircraft controllers seem to be more effectively
fault-tolerant than military aircraft controllers.

4.3 There is a general consensus in the technical community that the
technology is in hand for addressing new guidance and control issues such as
reconfigurable control and vehicle management, and for allowing pilot workload to
decrease with a mission management aid system. With respect to fault tolerance, the crew
might be the bottleneck. Out of 40 accidents a year for both commercial and military
aircraft due to control function loss, 80 % are due to the crew or to procedure rules.
A fully automatic flight system is claimed to increase reliability. However, the key to
the success of this new step is the development of means to assure operational decision
makers - or passengers - that they are not at the mercy of a machine.

4.4 Flight Control Systems will become more complex due to the increasing number
of functions (Terrain Following, Terrain Avoidance, Reconfigurable Control, Vehicle
Management, Maintenance Diagnosis, Mission Management...) and integration (propulsion,
fire control, ...). Commonality of hardware and software must be encouraged to increase
confidence and to lower cost. Especially, reusability of software must be encouraged;
the development of means such as software partitioning and the replacement of complex
software by simple hardware is needed, because it seems that formal proof can be
achieved only for simple applications.

4.5 The state of the art in Flight Control System validation methods and tools
has been reviewed. The traditional method can be qualified as good; it includes a
modelling phase with Failure Modes and Effects Analysis (F.M.E.A.), the Augmented
Failure Modes and Effects and Criticality Analysis (FMECA) and Fault-Tree Methodology,
then iron bird integration and testing, flight test and in-service operation incident
report evaluation. No theoretical framework exists for the validation process. A
"reliability insurance" must be applied; it consists of including validation in the
design and considering validation from the creation of the project. Computer-Aided
Reliability Estimation will be very useful.

4.6 At present, because of the issue in item 4.4, Flight Control System updating
is a very hard job.

4.7 Testing is only good at finding errors, not at demonstrating
their absence. So there is a need for mature formal proof methods. This need is, at
present, not satisfied, even if some progress has been made. The key issue of fault
tolerant systems is validation.


5.1 The key issue of fault-tolerant Flight Control Systems must be addressed
continuously. With respect to the results of the GCP Working Group 9 on validation of
flight critical control systems, follow-on action should be given to a Lecture Series to
explain validation methods or what methods are asked for (i.e. formal proof
validation).

5.2 Air vehicles are becoming more and more automatic because of technology push
and requirement pull (especially at the fire control and threat avoidance system level);
the dialogue between man and machine is more and more difficult when the
responsibilities are not clear or the bandwidths differ. Semi-automatic systems are hard
to manage because the presence of man hinders the modelling of the whole system; this is
the reason why emphasis must be given to automatic air vehicle studies and to the
operational acceptance of a crew for supervision only.

APPENDIX
FINAL PROGRAM


FAULT TOLERANT DESIGN CONCEPTS FOR HIGHLY INTEGRATED FLIGHT CRITICAL GUIDANCE AND
CONTROL SYSTEMS

Programme Chairman : Mr. James K. RAMAGE (US)


KEYNOTE  ADDRESS  by  General  Francois  Maurin,  Member  of  French  Conseil  d’Etat  and  Former 
Chief  of  Staff  of  the  French  Armies. 


Session I - TRENDS IN INTEGRATED FLIGHT CRITICAL SYSTEMS
Chairman : Dr. M.J. PELEGRIN (FR)

11 : Flight critical design concepts for low-level tactical guidance and control
     M.R. GRISWOLD, General Dynamics Corporation, Fort Worth Division, TX, USA

12 : Evolution dans les applications civiles
     Civil applications trends
     P. TRAVERSE, Aerospatiale, Toulouse, FR

13 : Pilot monitoring of display enhancements generated from a digital data base
     P.J. BENNETT, J.J. COCKBURN, Ferranti Defence System Limited, Edinburgh, UK


Session II - ADVANCED FAULT TOLERANT DESIGN CONCEPTS
Chairman : Mr. U.K. KROGMANN (GE)

21 : Techniques for transient error recovery and avoidance in redundant processing systems
     S.J. ADAMS, M.J. DZWONCZYK, The Charles Stark Draper Laboratory, Inc., Cambridge, MA, USA

22 : The role of time-limited dispatch operation in fault tolerant flight critical control systems
     D.F. ALLINGER, F.J. LEONG, P.S. BABCOCK, The Charles Stark Draper Laboratory, Inc., Cambridge, MA, USA
     G.C. HORAN, R.F. LaPrad, Pratt and Whitney Aircraft Division, E. Hartford, Connecticut, USA

23 : A fault tolerant fly-by-wire system for maintenance free applications
     R.W. DENNIS, A.D. HILLS, GEC Avionics Flight Controls Division, Rochester, Kent, UK

24 : The integrated airframe/propulsion control system architecture program (IAPSA)
     D.L. PALUMBO, C.W. MEISSNER, NASA Langley Research Center, Hampton, VA, USA
     G.C. COHEN, Boeing Advanced Systems Co., Seattle, WA, USA

25 : Dependable systems using "VIPER"
     J. KERSHAW, RSRE, Malvern, UK

26 : Fault tolerant, flight critical control systems
     T. SADEGHI, G. MAYVILLE, General Electric Company, Binghamton, NY, USA
SESSION III - SYSTEM ARCHITECTURES, MECHANIZATION AND INTEGRATION ISSUES
Chairman : Professor E.B. STEAR (US)

31 : Methods to preserve the integrity of a combat aircraft flight control system through major upgrade programmes
     M. ROSSLER, W. SCHMIDT, MBB Munchen, GE

33 : Research into a mission management aid
     J.R. CATFORD, GEC Avionics, Rochester, Kent, UK
     I.D. GRAY, Ferranti Defence Systems, Edinburgh, UK
     (Both of the MMA Joint Venture, RAE, Farnborough, Hants)

34 : Integrated diagnostics for fault tolerant systems
     H.A. FUNK, M.M. JEPPSON, Honeywell Systems and Research Center, Minneapolis, MN, USA

35 : A Byzantine resilient processor with an encoded fault-tolerant shared memory
     R.E. HARPER, B. BUTLER, The Charles Stark Draper Laboratory, Inc., Cambridge, MA, USA


SESSION IV - HIGH INTEGRITY SOFTWARE DESIGN METHODOLOGIES AND ALGORITHMS
Chairman : Professor J.T. SHEPHERD (UK)

41 : A highly reliable, autonomous data communication subsystem for an advanced information processing system
     G. NAGLE, T. MASOTTO, L. ALGER, The Charles Stark Draper Laboratory, Inc., Cambridge, MA, USA

42 : Formalisation de developpements : de la theorie au programme
     Formalizing developments : from theory to practice
     M. LEMOINE, K. BECHANE, ONERA-CERT, Departement d'Etudes et de Recherches en Informatique, Toulouse, FR

43 : Methodologie de decomposition d'application de navigation critique en elements simples
     Break-down methodology for flight critical applications into elementary components
     B. CHAVANA, F. de SAINTE MARESVILLE, CROUZET SA, Valence, FR

44 : Fault tolerance via fault avoidance
     B.D. BRAMSON, RSRE, Malvern, Worcs, UK


SESSION V - SYSTEM VALIDATION, SIMULATION AND FLIGHT TEST EXPERIENCE
Chairman : Dr. G.T. SCHMIDT (US)

51 : Piloted simulation verification of a control reconfiguration strategy for a fighter aircraft under impairments
     R. MERCADANTE, Grumman Aircraft Systems Division, Bethpage, NY, USA

52 : Flight test results of failure detection and isolation algorithms for a redundant strapdown inertial measurement unit
     F.R. MORRELL, NASA Langley Research Center, Hampton, VA, USA
     P.R. MOTYKA, The Charles Stark Draper Laboratory, Inc., Cambridge, MA, USA
     M.L. BAILEY, PRC Kentron International, Hampton, VA, USA

53 : Flight demonstration of a self-repairing flight control system in a NASA F-15 fighter aircraft
     J.M. URNES, McDonnell Aircraft Company, St Louis, MO, USA
     J. STEWART, NASA Ames Research Center, Dryden Flight Research Facility, Edwards AFB, CA, USA
     R. ESLINGER, Wright Research and Development Center (WRDC/FIGL), Wright-Patterson AFB, USA

54 : Flight testing of a redundant experimental FbW/FbL helicopter control system
     G. MANSFELD, H. BECKER, K. BENDER, K.D. HOLLE, DFVLR, Institut fur Flugfuhrung, Braunschweig, GE

55 : Un systeme de references primaires de haute integrite
     A high integrity flight data system
     J.L. ROCH, J. CONTET, CROUZET SA, Valence, FR